State Finds Providence Acted Appropriately Following Theft of Computer Disks, Tapes
Sept. 26, 2006
PORTLAND, Ore. – Providence Health & Services – Oregon Region announced today that it has reached a voluntary agreement with the Oregon Department of Justice (DOJ) regarding a theft of computer disks and tapes in December of 2005. Those disks and tapes contained records of 365,000 Providence Home Services patients.
In the agreement, the state acknowledges that Providence took appropriate actions following the incident. Those actions included notifying patients, establishing a toll-free hotline number to handle questions and providing credit monitoring and restoration services. The DOJ chose not to fine or penalize Providence in the case. For its part, Providence has agreed to pay $95,764 to the DOJ’s Consumer Protection and Education Revolving Account. That amount represents:
$13,000 for the reimbursement of DOJ’s expenses in responding to the case, and,
$82,764 representing nine months of an assistant attorney general’s services.
Providence hopes that this will help the department address future cases of information and identity theft.
Providence will also continue providing the credit services it has already contracted for, and will consider extending the duration of the services, if necessary. “We’re grateful that there have been no verifiable instances of the data on the disks and tapes being used for identity theft,” said Russ Danielson, chief executive Providence Health & Services – Oregon Region. “We’re also committed to working with the Oregon Attorney General and other interested parties in developing legislation that deals with the issues of information and identity theft.” Providence has also offered to make its expertise available to the State of Oregon and other companies who have also dealt with data loss.
Providence Hospice and Home Care of Snohomish County Provides Identity Monitoring Services to Patients Following Data Thefts
March 6, 2006
Everett, Wash. — Providence Hospice and Home Care of Snohomish County has contacted patients following thefts of laptop computers that hold confidential patient information. The thefts involve the records of Snohomish County hospice patients and home care patients.
Important notes:
The data thefts affect 97 hospice patients and 25 home care patients.
Other patients of Providence Hospice and Home Care of Snohomish County are not affected.
There is no indication that the stolen information has been used for identity theft.
Based on these recent thefts, Providence is further investigating two other thefts of laptop computers that occurred in September and December 2005, to assure that the patients affected by these thefts have been provided additional assistance in safeguarding their personal information.
Providence is encouraging those affected to take appropriate action to protect themselves due to the nature of the stolen data, which includes Social Security numbers and demographic information.
Providence is providing a package of identity and credit restoration and monitoring services to each affected patient at no cost.
The data, affecting 97 hospice patients, were on a laptop computer stolen from the car of a Providence employee on February 27, 2006. A second theft of a laptop on March 3, 2006, included information on 25 home care patients. The September theft involved 8 hospice patients; the December theft involved 14 home care patients.
The employees involved in the 2006 thefts were not following Providence Health & Services policy, which requires that confidential data be secure at all times. Providence has made changes to further secure the data contained on similar laptop computers used by other hospice and home care employees.
“We recognize the significance of the personal information that was stolen,” said Gail Larson, chief executive of Providence’s Northwest Washington Service Area. “We are truly sorry.”
We sincerely apologize to everyone affected by these incidents. Even though we have no indication that the data has been accessed, we are doing all we can to help our patients protect their information.”
Providence is taking several specific actions for patients:
Calling and sending letters to every affected patient, encouraging them to place fraud alerts on their files at one of the three major credit bureaus.
Providing identity and credit restoration and monitoring services to every affected patient at no cost.
Staffing a call center for questions from affected patients. Toll-free hotline: 1-866-347-8171.
Staffing a call center for patients who are unsure if they are affected by the thefts. Toll-free hotline: 503-215-6629.
Update From Providence Regarding Data Theft
Feb. 24, 2006
Portland, Ore. — Efforts continue by Providence Home Services to respond to patient needs following the theft of tapes and disks containing sensitive data. New information includes:
Following a confidential and thorough internal review process of the data storage procedures that led to the theft, four employees have left employment with Providence Health & Services.
Providence will support reasonable legislation that would outline a uniform process for reporting compromised or stolen data.
“Our goal is to do the right thing – to set the bar in how organizations should respond to situations such as this,” said Russ Danielson, vice president and chief executive for Providence Health & Services, Oregon Region. “We also recognize the public nature of this story, the need to continue to support our patients and provide updated information, and our intent to remain consistent with our core values.”
Other key points include:
Providence has proactively notified the 365,000 patients whose data was on the stolen tapes and disks. Providence also set up call centers and a Web site to provide additional information, www.providence.org.
Starting next week, people whose data was on the stolen tapes and disks will receive a letter from Kroll, Inc., a company that Providence has contracted with to provide a package of monitoring and restoration services free of charge.
Within Providence, steps are being taken to ensure that all data storage processes follow the system policy, which is best practice in the industry. Providence has already taken steps to correct the Home Services data process.
Providence has received no verified reports of illegal use of the stolen data.
“We have said from the beginning that we will do the right thing for those we serve,” said Danielson. “We want to regain the trust of our patients and communities.”
Providence Announces Agreement to Provide Monitoring, Restoration Services in Data Theft
Feb. 14, 2006
Portland, Ore. — Providence Health & Services announced today it has finalized an agreement with Kroll Inc. to provide its ID TheftSmart™ package of monitoring and restoration services to those affected by the recent data theft at Providence Home Services. The services will be provided free of charge to those affected.
“We think this will help address the concerns of our patients and their families, and help put their minds at ease,” said Rick Cagen, chief executive, Portland Service Area, Providence Health & Services. “We have heard from patients that the process to notify the credit agencies can be difficult, and we appreciate the time they have spent as a result of the theft.”
Kroll’s ID TheftSmart™ provides access to continuous monitoring of credit files and investigates potential identity theft cases. In those cases of actual fraudulent activity, the company works to restore the victim’s identity to its pre-ID theft status.
Providence Home Services patients affected by the data theft will be notified by mail and given the opportunity to sign up for the ID TheftSmart™ services. Patients who have questions about signing up for the services may call 503-215-6629. Additional information is also available at www.providence.org.
New Information in Home Services Data Theft
Feb. 2, 2006
Portland, Ore. — Providence Health & Services executives met with representatives of the Oregon Attorney General’s office today to provide them information regarding the recent data theft of 365,000 Home Services patients. While we cannot comment on our discussion, we can tell you that we appreciate their oversight of consumers in Oregon and we are responding to their requests.
There is some information we’d like our patients and communities to be aware of:
Providence is working with an expert organization to offer a package of services for all affected patients. Patients will be notified with additional information.
Both Providence and the Attorney General’s office have been receiving calls from patients who have received “predator” phone calls. These scam artists are portraying themselves as Providence employees and asking for personal information such as social security numbers and bank accounts so they can “verify” the stolen data. Providence employees are not calling Home Services patients to ask for this information in relation to the stolen data. People receiving phone calls are encouraged to notify their local police department.
Customer service phone lines continue to answer calls from patients. To date we have talked with approximately 10,000 patients and had about 27,000 Web hits. Patients can continue to call our customer service center at 503-215-6629 for more information, or can access our Web site at www.providence.org.
An additional note for your audiences: People scheduled for services in our hospitals and clinics such as surgery or appointments may receive calls from Providence employees to verify patient information. If patients are uncomfortable with the questions, they are given contact information to call back into Providence or they also are welcome to provide the necessary information upon arrival.
Providence Launches Outreach to Home Services Patients After Data Theft
Jan. 25, 2006
Portland, Ore. — Providence Home Services has begun contacting current and former patients following the theft of tapes and disks that hold confidential data. The theft involves the records of some 365,000 patients who received health care through Providence Home Services. Those patients live predominantly in Oregon (83 percent) and Washington (16 percent), with the rest in other states.
TWO IMPORTANT NOTES FOR YOUR AUDIENCES:
This only affects Providence Home Services patients. Patients who have received care through Providence hospitals and clinics – and NOT Home Services – were not affected.
There is no indication that the stolen information has been used for identity theft.
Providence is urging those affected to take appropriate action to protect themselves due to the nature of the stolen data, which includes Social Security numbers, clinical and demographic information. In a small number of cases, patient financial data was stolen. The disks and tapes also included some information about current and past employees of Providence Home Services.
The data were on computer backup disks and tapes in a case that was stolen from the car of a Providence employee. The theft was reported on Dec. 31, 2005. Providence is working with local law enforcement and the FBI. The duplicate data sources were taken home nightly by designated employees as part of a backup process intended to guarantee access to critical information in case of an emergency at our primary offices. After the theft, Providence immediately made changes to further secure the data. Providence believes the thief would need specialized computer skills to access the data.
“We realize this is a major inconvenience and cause for real concern, and we deeply apologize to everyone affected by this incident,” said Rick Cagen, chief executive of Providence’s Portland Service Area. “Even though we have no indication that the thief has accessed the data, we are doing all we can to help our patients and employees protect their information.”
Providence is taking three specific actions for patients:
Mailing letters to all those affected and encouraging them to place fraud alerts on their files at one of the three major credit bureaus.
